User equipment authentication preventing sequence number leakage

ABSTRACT

Techniques for preventing sequence number leakage during user equipment authentication in a communication network are provided. For example, a method comprises obtaining a permanent identifier and an authentication sequence value that are unique to user equipment, concealing the permanent identifier and the authentication sequence value, and sending the concealed permanent identifier and the authentication sequence value in a registration message from the user equipment to a communication network. Then, advantageously, in response to receipt of an authentication failure message from the communication network, the user equipment can send a response message to the communication network containing a failure cause indication without a re-synchronization token.

FIELD

The field relates generally to communication systems, and moreparticularly, but not exclusively, to security management within suchsystems.

BACKGROUND

This section introduces aspects that may be helpful in facilitating abetter understanding of the inventions. Accordingly, the statements ofthis section are to be read in this light and are not to be understoodas admissions about what is in the prior art or what is not in the priorart.

Fourth generation (4G) wireless mobile telecommunications technology,also known as Long Term Evolution (LTE) technology, was designed toprovide high capacity mobile multimedia with high data ratesparticularly for human interaction. Next generation or fifth generation(5G) technology is intended to be used not only for human interaction,but also for machine type communications in so-called Internet of Things(IoT) networks.

While 5G networks are intended to enable massive IoT services (e.g.,very large numbers of limited capacity devices) and mission-critical IoTservices (e.g., requiring high reliability), improvements over legacymobile communication services are supported in the form of enhancedmobile broadband (eMBB) services providing improved wireless Internetaccess for mobile devices.

In an example communication system, user equipment (5G UE in a 5Gnetwork or, more broadly, a UE) such as a mobile terminal (subscriber)communicates over an air interface with a base station or access pointof an access network referred to as a 5G AN in a 5G network. The accesspoint (e.g., gNB) is illustratively part of an access network of thecommunication system. For example, in a 5G network, the access networkreferred to as a 5G AN is described in 5G Technical Specification (TS)23.501, entitled “Technical Specification Group Services and SystemAspects; System Architecture for the 5G System,” the disclosure of whichis incorporated by reference herein in its entirety. In general, theaccess point (e.g., gNB) provides access for the UE to a core network(CN or 5GC), which then provides access for the UE to other UEs and/or adata network such as a packet data network (e.g., Internet).

TS 23.501 goes on to define a 5G Service-Based Architecture (SBA) whichmodels services as network functions (NFs) that communicate with eachother using representational state transfer application programminginterfaces (Restful APIs).

Furthermore, 5G Technical Specification (TS) 33.501, entitled “TechnicalSpecification Group Services and System Aspects; Security Architectureand Procedures for the 5G System,” the disclosure of which isincorporated by reference herein in its entirety, further describessecurity management details associated with a 5G network.

Security management is an important consideration in any communicationsystem. However, due to continuing attempts to improve the architecturesand protocols associated with a 5G network in order to increase networkefficiency and/or subscriber convenience, security management issuesassociated with user equipment authentication can present a significantchallenge.

SUMMARY

Illustrative embodiments provide techniques for preventing sequencenumber leakage during user equipment authentication in a communicationnetwork.

For example, in one illustrative embodiment, a method comprisesobtaining a permanent identifier and an authentication sequence valuethat are unique to user equipment, concealing the permanent identifierand the authentication sequence value, and sending the concealedpermanent identifier and the authentication sequence value in aregistration message from the user equipment to a communication network.Then, advantageously, in response to receipt of an authenticationfailure message from the communication network, the user equipment cansend a response message to the communication network containing afailure cause indication without a re-synchronization token.

In another illustrative embodiment, a method comprises receiving, at anetwork entity of a communication network, a registration message thatcomprises a concealed combination of a permanent identifier and anauthentication sequence value that are unique to user equipment, causingde-concealment of the permanent identifier and the authenticationsequence value, storing the received authentication sequence value foruse in a later step of authentication failure, and determining anauthentication method based on the permanent identifier. Then,advantageously, in response to receipt of an authentication request forthe user equipment following an authentication failure of the userequipment, the network entity can utilize the stored authenticationsequence value received in the registration message to generate a newauthentication vector for use in authenticating the user equipment.

Further illustrative embodiments are provided in the form of anon-transitory computer-readable storage medium having embodied thereinexecutable program code that when executed by a processor causes theprocessor to perform the above steps. Still further illustrativeembodiments comprise apparatus with a processor and a memory configuredto perform the above steps.

These and other features and advantages of embodiments described hereinwill become more apparent from the accompanying drawings and thefollowing detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a communication system with which one or moreillustrative embodiments may be implemented.

FIG. 2 illustrates user equipment and at least one network entity withwhich one or more illustrative embodiments may be implemented.

FIG. 3 illustrates a service-based architecture for a communicationsystem within which one or more illustrative embodiments may beimplemented.

FIG. 4 illustrates an encryption scheme for user equipment, according toan illustrative embodiment.

FIG. 5 illustrates a decryption scheme for user equipment, according toan illustrative embodiment.

FIG. 6 illustrates a subscription concealed identifier, according to anillustrative embodiment.

FIG. 7 illustrates a methodology for preventing sequence number leakageduring user equipment authentication, according to an illustrativeembodiment.

FIG. 8 illustrates a methodology for an authentication success case,according to an illustrative embodiment.

FIG. 9 illustrates a methodology for an authentication failure case,according to an illustrative embodiment.

DETAILED DESCRIPTION

Embodiments will be illustrated herein in conjunction with examplecommunication systems and associated techniques for security managementin communication systems. It should be understood, however, that thescope of the claims is not limited to particular types of communicationsystems and/or processes disclosed. Embodiments can be implemented in awide variety of other types of communication systems, using alternativeprocesses and operations. For example, although illustrated in thecontext of wireless cellular systems utilizing 3GPP system elements suchas a 3GPP next generation system (5G), the disclosed embodiments can beadapted in a straightforward manner to a variety of other types ofcommunication systems.

In accordance with illustrative embodiments implemented in a 5Gcommunication system environment, one or more 3GPP technicalspecifications (TS) and technical reports (TR) may provide furtherexplanation of network elements/functions and/or operations that mayinteract with parts of the inventive solutions, e.g., theabove-referenced 3GPP TS 23.501 and 3GPP TS 33.501. Other 3GPP TS/TRdocuments may provide other conventional details that one of ordinaryskill in the art will realize. For example, 5G TS 29.509, entitled“Technical Specification Group Core Network and Terminals; 5G System;Authentication Server Services” and 5G TS 29.510, entitled “TechnicalSpecification Group Core Network and Terminals; 5G System; NetworkFunction Repository Services,” the disclosures of which are incorporatedby reference herein in their entireties, may be mentioned below in thecontext of some illustrative embodiments. Still further, 3GPP TS 33.102,entitled “Technical Specification Group Services and System Aspects; 3GSecurity; Security Architecture” and 3GPP TR 33.846, entitled “TechnicalSpecification Group Services and System Aspects; Study on AuthenticationEnhancements in 5G System,” the disclosures of which are incorporated byreference herein in their entireties, may also be mentioned below in thecontext of some illustrative embodiments.

However, while well-suited for 5G-related 3GPP standards, embodimentsare not necessarily intended to be limited to any particular standards.

Illustrative embodiments are related to user equipment authentication in5G networks. Prior to describing such illustrative embodiments, ageneral description of main components of a 5G network will be describedbelow in the context of FIGS. 1 and 2 .

FIG. 1 shows a communication system 100 within which illustrativeembodiments are implemented. It is to be understood that the elementsshown in communication system 100 are intended to represent mainfunctions provided within the system, e.g., UE access functions,mobility management functions, authentication functions, serving gatewayfunctions, etc. As such, the blocks shown in FIG. 1 reference specificelements in 5G networks that provide these main functions. However,other network elements may be used to implement some or all of the mainfunctions represented. Also, it is to be understood that not allfunctions of a 5G network are depicted in FIG. 1 . Rather, at least somefunctions that facilitate an explanation of illustrative embodiments arerepresented. Subsequent figures may depict some additionalelements/functions (i.e., network entities).

Accordingly, as shown, communication system 100 comprises user equipment(UE) 102 that communicates via an air interface 103 with an access point(gNB) 104. The UE 102 may be a mobile station, and such a mobile stationmay comprise, by way of example, a mobile telephone, a computer, or anyother type of communication device. The term “user equipment” as usedherein is therefore intended to be construed broadly, so as to encompassa variety of different types of mobile stations, subscriber stations or,more generally, communication devices, including examples such as acombination of a data card inserted in a laptop or other equipment suchas a smart phone. Such communication devices are also intended toencompass devices commonly referred to as access terminals.

In one embodiment, UE 102 is comprised of a Universal Integrated CircuitCard (UICC) part and a Mobile Equipment (ME) part. The UICC is theuser-dependent part of the UE and contains at least one UniversalSubscriber Identity Module (USIM) and appropriate application software.The USIM securely stores a permanent subscription identifier and itsrelated key, which are used to uniquely identify and authenticatesubscribers to access networks. The ME is the user-independent part ofthe UE and contains terminal equipment (TE) functions and various mobiletermination (MT) functions.

Note that, in one example, the permanent subscription identifier is anInternational Mobile Subscriber Identity (IMSI) unique to the UE. In oneembodiment, the IMSI is a fixed 15-digit length and consists of a3-digit Mobile Country Code (MCC), a 2-digit or 3-digit Mobile NetworkCode (MNC), and a 9-digit or 10-digit Mobile Station IdentificationNumber (MSIN). In a 5G communication system, an IMSI is referred to as aSubscription Permanent Identifier (SUPI). In the case of an IMSI as aSUPI, the MSIN provides the subscriber identity. Thus, only the MSINportion of the IMSI typically needs to be encrypted. The MNC and MCCportions of the IMSI provide routing information, used by the servingnetwork to route to the correct home network. When the MSIN of a SUPI isencrypted, it is referred to as Subscription Concealed Identifier(SUCI).

Another example of a SUPI uses a Network Access Identifier (NAI). NAI istypically used for IoT communication.

The access point 104 is illustratively part of an access network of thecommunication system 100. Such an access network may comprise, forexample, a 5G System having a plurality of base stations and one or moreassociated radio network control functions. The base stations and radionetwork control functions may be logically separate entities, but in agiven embodiment may be implemented in the same physical networkelement, such as, for example, a base station router or cellular accesspoint.

The access point 104 in this illustrative embodiment is operativelycoupled to mobility management functions 106. In a 5G network, themobility management function is implemented by an Access and MobilityManagement Function (AMF). A Security Anchor Function (SEAF) can also beimplemented with the AMF connecting a UE with the mobility managementfunction. A mobility management function, as used herein, is the elementor function (i.e., entity) in the core network (CN) part of thecommunication system that manages or otherwise participates in, amongother network operations, access and mobility (includingauthentication/authorization) operations with the UE (through the accesspoint 104). The AMF may also be referred to herein, more generally, asan access and mobility management entity.

The AMF 106 in this illustrative embodiment is operatively coupled tohome subscriber functions 108, i.e., one or more functions that areresident in the home network of the subscriber. As shown, some of thesefunctions include the Unified Data Management (UDM) function, as well asan Authentication Server Function (AUSF). The AUSF and UDM (separatelyor collectively) may also be referred to herein, more generally, as anauthentication entity or authentication entities. Further, anAuthentication Credential Repository and Processing Function (ARPF) canbe utilized in conjunction with the UDM. In addition, home subscriberfunctions may also include, but are not limited to, Network SliceSelection Function (NSSF), Network Exposure Function (NEF), NetworkRepository Function (NRF), Policy Control Function (PCF), andApplication Function (AF).

Note that a UE, such as UE 102, is typically subscribed to what isreferred to as a Home Public Land Mobile Network (HPLMN) in which someor all of the home subscriber functions 108 reside. If the UE is roaming(not in the HPLMN), it is typically connected with a Visited Public LandMobile Network (VPLMN) also referred to as a visited or serving network.Some or all of the mobility management functions 106 may reside in theVPLMN, in which case, functions in the VPLMN communicate with functionsin the HPLMN as needed. However, in a non-roaming scenario, mobilitymanagement functions 106 and home subscriber functions 108 can reside inthe same communication network. Furthermore, one or more of subscriberfunctions 108 can be part of a VPLMN if appropriate in certaincircumstances. Embodiments described herein are not limited by whichfunctions reside in which PLMN (i.e., HPLMN or VPLMN).

The access point 104 is also operatively coupled (via one or more offunctions 106 and/or 108) to a serving gateway function, i.e., SessionManagement Function (SMF) 110, which is operatively coupled to a UserPlane Function (UPF) 112. UPF 112 is operatively coupled to a PacketData Network, e.g., Internet 114. Further typical operations andfunctions of such network elements are not described here since they arenot the focus of the illustrative embodiments and may be found inappropriate 3GPP 5G documentation. Note that functions shown in 106,108, 110 and 112 are examples of network functions (NFs).

It is to be appreciated that this particular arrangement of systemelements is an example only, and other types and arrangements ofadditional or alternative elements can be used to implement acommunication system in other embodiments. For example, in otherembodiments, the system 100 may comprise other elements/functions notexpressly shown herein.

Accordingly, the FIG. 1 arrangement is just one example configuration ofa wireless cellular system, and numerous alternative configurations ofsystem elements may be used. For example, although only singleelements/functions are shown in the FIG. 1 embodiment, this is forsimplicity and clarity of description only. A given alternativeembodiment may of course include larger numbers of such system elements,as well as additional or alternative elements of a type commonlyassociated with conventional system implementations.

It is also to be noted that while FIG. 1 illustrates system elements assingular functional blocks, the various subnetworks that make up the 5Gnetwork are partitioned into so-called network slices. Network slices(network partitions) comprise a series of network function (NF) sets(i.e., function chains) for each corresponding service type usingnetwork function virtualization (NFV) on a common physicalinfrastructure. The network slices are instantiated as needed for agiven service, e.g., eMBB service, massive IoT service, andmission-critical IoT service. A network slice or function is thusinstantiated when an instance of that network slice or function iscreated. In some embodiments, this involves installing or otherwiserunning the network slice or function on one or more host devices of theunderlying physical infrastructure. UE 102 is configured to access oneor more of these services via gNB 104.

FIG. 2 is a block diagram of user equipment and a network entity forproviding authentication in a communication system in an illustrativeembodiment. System 200 is shown comprising user equipment 202 and anetwork entity 204.

It is to be appreciated that user equipment 202 represents one exampleof UE 102 described above in the context of FIG. 1 . It is to be furtherappreciated that the network entity 204 represents any network entities(network functions, nodes, components, elements, services, etc.) thatare configured to provide security management and other techniquesdescribed herein, for example, but not limited to, AMF, SEAF, UDM, ARPF,AUSF, NSSF, NEF, NRF, PCF and AF such as are part of an SBA-based 5Gcore network (which is part of an HPLMN, VPLMN, or both).

Network entity 204 can also be a network function, node, component,element, service, etc., external to the SBA-based 5G core network, i.e.,a third-party external enterprise network. Further, network entity 204can represent one or more processing devices configured to orchestrateand manage instantiation of one or more network functions (or othersecurity management entities) within an SBA-based 5G core network or anycommunication network. Instantiation of a network function is describedin the various 3GPP standards and otherwise well known to those ofordinary skill in the art.

User equipment 202 comprises a processor 212 coupled to a memory 216 andinterface circuitry 210. The processor 212 of user equipment 202includes a security management processing module 214 that may beimplemented at least in part in the form of software executed by theprocessor. The processing module 214 performs operations associated withsecurity management as described in conjunction with subsequent figuresand otherwise herein. The memory 216 of user equipment 202 includes asecurity management storage module 218 that stores data generated orotherwise used during security management operations.

The network entity 204 comprises a processor 222 coupled to a memory 226and interface circuitry 220. The processor 222 of the network entity 204includes a security management processing module 224 that may beimplemented at least in part in the form of software executed by theprocessor 222. The processing module 224 performs operations associatedwith security management as described in conjunction with subsequentfigures and otherwise herein. The memory 226 of the network entity 204includes a security management storage module 228 that stores datagenerated or otherwise used during security management operations.

The processors 212 and 222 may comprise, for example, microprocessors,application-specific integrated circuits (ASICs), field programmablegate arrays (FPGAs), digital signal processors (DSPs) or other types ofprocessing devices or integrated circuits, as well as portions orcombinations of such elements. Such integrated circuit devices, as wellas portions or combinations thereof, are examples of “circuitry” as thatterm is used herein. A wide variety of other arrangements of hardwareand associated software or firmware may be used in implementing theillustrative embodiments. In addition, illustrative embodiments may berealized in a completely virtualized environment using software, runningon a cloud platform, to emulate the various network functions.

The memories 216 and 226 may be used to store one or more softwareprograms that are executed by the respective processors 212 and 222 toimplement at least a portion of the functionality described herein. Forexample, security management operations and other functionality asdescribed in conjunction with subsequent figures and otherwise hereinmay be implemented in a straightforward manner using software codeexecuted by processors 212 and 222.

A given one of the memories 216 or 226 may therefore be viewed as anexample of what is more generally referred to herein as a computerprogram product or still more generally as a processor-readable storagemedium that has executable program code embodied therein. Other examplesof processor-readable storage media may include disks or other types ofmagnetic or optical media, in any combination. Illustrative embodimentscan include articles of manufacture comprising such computer programproducts or other processor-readable storage media.

The memory 216 or 226 may more particularly comprise, for example, anelectronic random-access memory (RAM) such as static RAM (SRAM), dynamicRAM (DRAM) or other types of volatile or non-volatile electronic memory.The latter may include, for example, non-volatile memories such as flashmemory, magnetic RAM (MRAM), phase-change RAM (PC-RAM) or ferroelectricRAM (FRAM). The term “memory” as used herein is intended to be broadlyconstrued, and may additionally or alternatively encompass, for example,a read-only memory (ROM), a disk-based memory, or other type of storagedevice, as well as portions or combinations of such devices.

The interface circuitries 210 and 220 illustratively comprisetransceivers or other communication hardware or firmware that allows theassociated system elements to communicate with one another in the mannerdescribed herein.

It is apparent from FIG. 2 that user equipment 202 is configured forcommunication with network entity 204 and vice-versa via theirrespective interface circuitries 210 and 220. This communicationinvolves user equipment 202 sending data to the network entity 204, andthe network entity 204 sending data to the user equipment 202. However,in alternative embodiments, other network elements may be operativelycoupled between user equipment 202 and network entity 204. The term“data” as used herein is intended to be construed broadly, so as toencompass any type of information that may be sent between userequipment and a network entity, as well as between network entities,including, but not limited to, messages, identifiers, keys, indicators,user data, control data, etc.

It is to be appreciated that the particular arrangement of componentsshown in FIG. 2 is an example only, and numerous alternativeconfigurations may be used in other embodiments. For example, any givennetwork entity can be configured to incorporate additional oralternative components and to support other communication protocols.

Other system elements such as gNB 104 may each also be configured toinclude components such as a processor, memory and network interface.These elements need not be implemented on separate stand-aloneprocessing platforms, but could instead, for example, representdifferent functional portions of a single common processing platform.

Still further, while FIG. 2 illustrates example architectures andinterconnectivity between user equipment and a network entity, FIG. 2can also represent example architectures and interconnectivity betweenmultiple network entities (e.g., 202 can represent one network entityoperatively coupled to another network entity in the form of networkentity 204). More generally, FIG. 2 can be considered to represent twoprocessing devices configured to provide respective security managementfunctionalities and operatively coupled to one another in acommunication system.

The architecture for 5G systems is currently being standardized in 3GPP.As mentioned above, the 3GPP TS 23.501 defines the 5G systemarchitecture as service-based, e.g., Service-Based Architecture (SBA).FIG. 3 illustrates a general 5G SBA implementation 300 as furtherdescribed in 3GPP TS 23.501. Note that the network entities(elements/functions) in FIG. 3 are the same or similar to thosedescribed above in the context of FIGS. 1 and 2 . The notation of acapital “N” in front of the network entity name (e.g., Nausf) denotesthe SBA-based interface within the core network used to access theparticular network entity (e.g., AUSF).

It is realized herein that in deploying different NFs, as depicted inFIG. 3 , there can be many situations where an NF may need to interactwith an entity external to the SBA-based 5G core network (e.g.,including the corresponding PLMN(s), e.g., HPLMN and VPLMN). Thus, theterm “internal” as used herein illustratively refers to operationsand/or communications within the SBA-based 5G core network (e.g.,SBA-based interfaces) and the term “external” illustratively refers tooperations and/or communications outside the SBA-based 5G core network(non-SBA interfaces). By way of example only, AUSF may need to interactwith an authentication, authorization, and accounting (AAA) servermanaged by a third-party enterprise (“third-party” here illustrativelyrefers to a party other than the network operator of the SBA-based 5Gcore network). Using conventional 5G approaches, this results in AUSFsupporting multiple services both internally and externally at the sametime. Internally, AUSF may provide services to AMF, SMF, NEF, UDM, etc.,while at the same time interacting with an external AAA server (e.g., anexternal NF configured for network slice authentication) which may beowned and operated by a third-party entity. More generally, in a 5G corenetwork, each NF provides a defined set of services (acting as serviceproducers) to other NFs (service consumers). Each NF can be a serviceproducer for one service and service consumer for another service.

It is to be appreciated that a primary authentication procedure betweena UE and the 5G core network is based on an Authentication and KeyAgreement (AKA) challenge being sent from a home environment (HE orHPLMN) to the UE (e.g., as defined in the above-referenced TS 33.501).Note that the terms “home environment,” “home network,” and “home PLMN”may be used interchangeably herein. The AKA challenge contains a randomnumber, RAND, and an authentication token, AUTN. AUTN comprises anauthentication sequence number, SQN, which is maintained per usersubscription in the HE and is incremented by HE for every authenticationprocedure. These values are passed in encrypted form and only the USIMcan verify if the challenge is fresh or results in a synchronizationfailure.

When the UE receives a challenge that is not fresh (i.e., the referenceSQN sent by the network is out of range), the UE responds on thechallenge with a synchronization failure message that contains a value,AUTS (e.g., as described in the above-referenced TS 33.102).

AUTS (Authentication Token for Synchronization Failure) functions as are-synchronization token that contains, in encrypted form, the value SQNthat is maintained by the UE in the UICC, which can be interpreted asthe lowest value the UE is willing to accept. Moreover, AUTS contains amessage authentication code (MAC) that proves that AUTS was actuallycomputed by the UE (which has a USIM containing the root key K) and hasnot been tampered.

When the network receives a valid AUTS from the UE, the network maps itsown SQN value to the one received from the UE. This is how SQNre-synchronization happens when the sequence number maintained at the HEand the UE gets out of synchronization.

Problems with the above-described SQN-based AKA challenge procedure havebeen identified. For example, the freshness parameter for thecalculation of AK (the keystream that protects the SQN returned to thenetwork) during a re-synchronization in AKA is the random number RANDfrom the challenge. An attacker can force the re-use of RAND and hencethe keystream AK may be used multiple times to protect different SQNs.The attacker could leverage the authentication failure feedback from theUE side and conduct an activity monitoring attack to break subscribers'privacy.

Further, the re-use of a keystream allows an attacker to obtain theExclusive-OR (XOR) value between two different SQNs. It has been shownin a primary authentication procedure, how this property in conjunctionwith issuing fresh challenges can enable an attacker to estimate theleast significant bits of the SQN. Hence, some information about the SQNcan leak despite the encryption of SQN, which leads to a privacy leakageof the subscribers. It is realized that the protection of SQN during AKAre-synchronizations should prevent the information leakage of SQNvalues.

Illustrative embodiments overcome the above and other challenges byintroducing a new SUPI type as ‘SUPI plus SQN_(MS)’, wherein SQN_(MS) isincluded in SUCI generation, and wherein SUCI is computed as encrypted[SUPI concatenated with SQN_(MS)]. The UDM decrypts the received [SUPIconcatenated with SQN_(MS)] to gain SUPI and SQN_(MS). SQN_(MS) isstored in UDM for use in a later step. Note that the subscript “MS” inSQN_(MS) stands for Mobile Subscriber to distinguish this unique valuecomputed by the UE from SQN_(HE) which is the SQN computed and locallymaintained by the HE. SQN_(MS) may also be, more generally, referred toherein as an authentication sequence value.

At the UDM, authentication vector generation is kept the same as in thecurrent scheme using the shared key (K) and the existing SQN_(HE). Incase of authentication failure at the UE due to SQN mismatch, since thecurrent SQN_(MS) has already been sent by the UE in an encrypted formatand is already stored in the UDM, exchange of SQN_(MS) is avoided which,as mentioned above, could otherwise be exploited by the attacker. TheUDM uses the stored SQN_(MS) for sequence number (SQN)re-synchronization.

In illustrative embodiments, the current usage of Elliptic CurveIntegrated Encryption Scheme (ECIES) for concealment of SUPI can beexpanded to accommodate SQN_(MS) and SUPI. Since the maximum allowedsize of a cipher text from concealment according to the ECIES protectionscheme output is 3000 digits (e.g., see TS 33.501) and since SUPIutilizes only a few bytes of those maximum allowed digits, SQN_(MS) canbe accommodated by adapting the concealed part of SUPI. In the casewhere the SUPI type is an IMSI, then MSIN (9 to 10 digits) is the onlyvalue in plain text block considered for concealment using symmetricencryption in the UE (currently followed in 3GPP procedures). Thus, inillustrative embodiments, the above procedure is modified to includeSQN_(MS) (48 bits: 6 bytes) from the UE by concatenating (moregenerally, combining) SQN_(MS) with the MSIN (9 to 10 digits) of theSUPI. This concatenated plain text block is encrypted at the UE and sentin a registration request to HE. At HE (i.e., at UDM/ARPF),de-concealment is performed to retrieve SQN_(MS) and SUPI.

FIG. 4 shows an encryption scheme 400 based on ECIES executed at the UEside. It is to be understood that the steps shown in the encryptionscheme 400 are executed in a manner equivalent to how the current ECIESscheme is typically executed with the exception of the adaptation, inaccordance with an illustrative embodiment, of concatenating the SUPIwith SQN_(MS) and taking the concatenated result as one plain text blockfor symmetric encryption. For example, in case of the SUPI type as anIMSI, then MSIN (9 to 10 digits) and SQN_(MS) (48 bits: 6 bytes) areconcatenated in the UE. More particularly, as shown, ephemeral key pairgeneration occurs in step 402. Key agreement is then performed in step404, followed by key derivation in step 406. Symmetric encryption isperformed in step 408 on the plain text block 409 which is theconcatenation of SUPI and SQN_(MS), as explained above. Lastly, MACgeneration occurs in step 410.

FIG. 5 shows a decryption scheme 500 based on ECIES executed at the HEside. It is to be understood that the steps shown in the decryptionscheme 500 are executed similar to how the current ECIES scheme istypically executed with the adaptation, in accordance with anillustrative embodiment, of dissociating SUPI and SQN_(MS) aftersymmetric decryption of the encrypted block received from the UE(generated in FIG. 4 ). More particularly, as shown, key agreementoccurs in step 502, followed by key derivation in step 504. Symmetricdecryption is performed in step 506 on the cipher text block to obtainSUPI and SQN_(MS) (block 507) in accordance with the illustrativeembodiment and as explained above. Lastly, MAC verification occurs instep 508.

FIG. 6 shows a data structure 600 of a SUCI that contains a SUPI type infield 602, which includes values in the range 0 to 7. The SUPI typefield 602 identifies the type of the SUPI concealed in the SUCI. Theencoding of SUCI for ‘SUPI plus SQN_(MS)’ is represented by a new SUPItype value, by way of example only, value 4 in the field 602. The otherfields shown in SUCI structure 600 include home network (or HE)identifier field 604, routing indicator field 606, protection schemeidentifier field 608, home network public key identifier field 610, andscheme output field 612, which are typical fields in a SUCI structure.

FIG. 7 illustrates a methodology 700 for preventing sequence numberleakage during user equipment authentication, according to anillustrative embodiment. More particularly, FIG. 7 is an illustration ofa UE and its HE (HPLMN) sharing SQN_(MS) along with the SUCI, which asmentioned above prevents malicious actors from obtaining sequence numberinformation. As illustratively depicted, methodology 700 comprisessteps/operations executed by, and message/call flows between, a UE 702,an AMF/SEAF 704, an AUSF 706, and a UDM/ARPF 708.

In step 1, during a primary authentication procedure, the USIM of UE 702concatenates SUPI and SQN_(MS). The concatenated plain text block isencrypted using ECIES method, as described above in the context of FIG.4 . In accordance with illustrative embodiments, a new value isintroduced for “SUPI Type,” e.g., value 4 represents SUCI encoded with‘SUPI plus SQN_(MS)’.

In step 2, UE 702 uses SUCI (containing SQN_(MS)) in a registrationrequest message sent to AMF/SEAF 704.

In step 3, AMF/SEAF 704 invokes the Nausf_UEAuthentication service bysending a Nausf_UEAuthentication_Authenticate Request message to AUSF706 whenever AMF/SEAF 704 wishes to initiate an authentication. TheNausf_UEAuthentication_Authenticate Request message contains either:

(i) SUCI containing SQN_(MS), as defined herein, or

(ii) SUPI, as defined in the above-referenced TS 23.501.

AMF/SEAF 704 includes the SUPI in theNausf_UEAuthentication_Authenticate Request message in case AUSF 706 hasa valid 5G-GUTI and re-authenticates UE 702. Otherwise, the SUCIcontaining SQN_(MS) is included in Nausf_UEAuthentication_AuthenticateRequest. The Nausf_UEAuthentication_Authenticate Request may furthercontain the serving network name.

Upon receiving the Nausf_UEAuthentication_Authenticate Request message,AUSF 706 checks that the requesting AMF/SEAF 704 in the serving networkis entitled to use the serving network name in theNausf_UEAuthentication_Authenticate Request by comparing the servingnetwork name with the expected serving network name. AUSF 706 stores thereceived serving network name temporarily. If the serving network is notauthorized to use the serving network name, AUSF 706 responds with“serving network not authorized” in theNausf_UEAuthentication_Authenticate Response (not expressly shown).

In step 4, assuming the serving network is authorized, AUSF 706 sendsthe Nudm_UEAuthentication_Get Request to UDM/ARPF 708. TheNudm_UEAuthentication_Get Request includes: SUCI containing SQN_(MS) orSUPI; and the serving network name.

Upon reception of the Nudm_UEAuthentication_Get Request, UDM/ARPF 708invokes a Subscription Identifier De-concealing Function (SIDF, notexpressly shown) if a SUPI type is SUPI plus SQN_(MS), (see, e.g., FIG.5 ) and SIDF de-conceals SUCI to gain SUPI and SQN_(MS) before UDM/ARPF708 can process the request.

In step 5, based on SUPI, UDM/ARPF 708 chooses the authenticationmethod. SQN_(MS) is stored in UDM/ARPF 708 for future use. At UDM/ARPF708, an authentication vector is generated with the existing SQN_(HE).

Note that a Nudm_UEAuthentication_Get Response in reply to aNudm_UEAuthentication_Get Request and aNausf_UEAuthentication_Authenticate Response message in reply to aNausf_UEAuthentication_Authenticate Request message may be generated ina typical manner. Note also that SQN_(MS) is not considered forauthentication vector generation in illustrative embodiments.

Assuming the methodology 700 of FIG. 7 has occurred, FIGS. 8 and 9illustrate an authentication success case and an authentication failurecase, respectively.

FIG. 8 illustrates a methodology 800 for an authentication success case,according to an illustrative embodiment. More particularly, FIG. 8 showsthe success case of a 5G AKA authentication procedure, which is the sameas is described in the above-referenced TS.33.501. That is, there is noimpact to the current call flow for a successful authenticationprocedure. As illustratively depicted, methodology 800 comprisessteps/operations executed by, and message/call flows between, UE 702,SEAF 704 (AMF/SEAF), an AUSF 706, and a UDM/ARPF 708.

In step 1, UDM/ARPF 708 generates an Authentication Vector (AV).

In step 2, UDM/ARPF 708 sends Nudm_Authentication_Get Response (5G HEAV, [SUPI]) to AUSF 706.

In step 3, AUSF 706 stores XRES*.

In step 4, AUSF 706 calculates HXRES*.

In step 5, AUSF 706 sends Nausf_UEAuthentication_Authenticate Response(5G SE AV) to SEAF 704.

In step 6, SEAF 704 send Authentication Request to UE 702.

In step 7, UE 702 calculates Authentication Response (RES*).

In step 8, UE 702 sends Authentication Response to SEAF 704.

In step 9, SEAF 704 calculates HRES* and compares it to HXRES*.

In step 10, SEAF 704 sends Nausf_UEAuthentication_Authenticate Request(RES*) to AUSF 706.

In step 11, AUSF 706 verifies RES*.

In step 12, AUSF 706 sends Nausf_UEAuthentication_Authenticate Response(Result, [SUPI], Kseaf) to SEAF 704.

FIG. 9 illustrates a methodology 900 for an authentication failure case,according to an illustrative embodiment. More particularly, FIG. 9 showsthe failure case of a 5G AKA authentication procedure, and how thepreviously stored SQN_(MS) is advantageously already available. Asillustratively depicted, methodology 900 comprises steps/operationsexecuted by, and message/call flows between, UE 702, SEAF 704(AMF/SEAF), AUSF 706, and UDM/ARPF 708.

In step 1, for each Nudm_Authenticate_Get Request, UDM/ARPF 708 createsa 5G HE Authentication Vector (AV). UDM/ARPF 708 does this by generatingan AV with the Authentication Management Field (AMF) separation bit setto “1” as defined in the above-referenced TS 33.102. Note that detailsof authentication operations mentioned below can be found incorresponding annexes of the above-referenced TS 33.102. UDM/ARPF 708then derives K_(AUSF) and calculates XRES*. Finally, UDM/ARPF 708creates a 5G HE AV from RAND, AUTN, XRES*, and K_(AUSF).

In step 2, UDM/ARPF 708 then returns the 5G HE AV to AUSF 706 togetherwith an indication that the 5G HE AV is to be used for 5G AKA in aNudm_UEAuthentication_Get Response. In case SUCI was included in theNudm_UEAuthentication_Get Request, UDM/ARPF 708 includes the SUPI in theNudm_UEAuthentication_Get Response.

In step 3, AUSF 706 stores the XRES* temporarily together with thereceived SUCI or SUPI.

In step 4, AUSF 706 then generates the 5G AV from the 5G HE AV receivedfrom UDM/ARPF 708 by computing the HXRES* from XRES* and K_(SEAF) fromK_(AUSF) (according to Annex A.6), and replacing the XRES* with theHXRES* and K_(AUSF) with K_(SEAF) in the 5G HE AV.

In step 5, AUSF 706 then removes the K_(SEAF) and returns the 5G SE AV(RAND, AUTN, HXRES*) to SEAF 704 in aNausf_UEAuthentication_Authenticate Response.

In step 6, SEAF 704 sends RAND, AUTN to UE 702 in a NAS messageAuthentication-Request. This message also includes the ngKSI that willbe used by UE 702 and AMF 704 to identify the K_(AMF) and the partialnative security context that is created if the authentication issuccessful. This message also includes the ABBA parameter. The SEAF 704sets the ABBA parameter.

In step 7, the ME in UE 702 forwards the RAND and AUTN received in a NASmessage Authentication Request to the USIM in UE 702. Upon receipt ofthe RAND and AUTN, the USIM verifies the freshness of the 5G AV bychecking whether AUTN can be accepted as described in theabove-referenced TS 33.102. If the verification of the AUTN fails, thenthe USIM indicates to the ME the reason for failure.

In step 8, the ME responds with a NAS message Authentication Failureonly with a CAUSE value indicating the reason for failure (as SQNfailure/mismatch). AUTS is not calculated by the UE 702 and not sharedto the network. UE 702 sends the Authentication Failure message to SEAF704.

In step 9, upon receiving the Authentication Failure message from UE702, SEAF 704 sends a Nausf_UEAuthentication_Authenticate Requestmessage to AUSF 706.

In step 10, AUSF 706 sends a Nudm_UEAuthentication_Get Request messageto UDM/ARPF 708.

In step 11, when UDM/ARPF 708 receives a Nudm_UEAuthentication_GetRequest message, it functions as described in the above-referenced TS33.102 where ARPF is mapped to HE/AuC (Authentication Center). UDM/ARPF708 sends a Nudm_UEAuthentication_Get Response message with a newauthentication vector (AV) by considering the SQN_(MS) from the database(i.e., SQN_(MS) received in Nudm_UEAuthentication_Get Request). AUSF 706then performs a new authentication procedure with UE 702 according tothe above-referenced TS 33.501 depending on the authentication methodapplicable for UE 702.

Accordingly, in accordance with illustrative embodiments, on the USIM,during the ECIES procedure of primary authentication, a new SUPI type isadded, and SQN_(MS) is concatenated with SUPI (plain text block). At theUDM, when the SUPI indicates ‘SUPI plus SQN_(MS)’, the de-concealmentoperation disassociates SUPI and SQN_(MS). UDM stores SQN_(MS)temporarily until the success or failure of the authentication is known.There is no change to any entities if the authentication succeeds. Ifthere is an authentication failure at the UE, the UE sends only anauthentication failure message to the HE with an SQN failure cause code(the cause code may be the existing value or a new value), without AUTS.At the UDM, if an authentication failure message with cause code (SQNfailure) is received, the stored value of SQN_(MS) received at theinitial step is processed. The UDM synchronizes its value of SQN, i.e.,SQN_(HE)=SQN_(MS). A new cause code value in the authentication failuremessage for the UE can indicate to the UDM that SQN_(MS) has alreadybeen sent to the UDM and UDM should use the stored SQN_(MS). If theexisting cause code value is used, then the UDM state machine has toremember the early receipt of SQN_(MS) and use that value whileprocessing the authentication failure message from the UE. Sequencenumber management profiles and synchronization procedures detailed inthe above-reference TR 33.102 are kept intact and not altered.

Advantageously, illustrative embodiments provide solutions, as describedherein, that prevent SQN leakage by an attacker with minimal changes tothe UE and UDM. The solutions do not affect any entity between the USIMand home network. The solutions can work as an additional authenticationoption for 5G AKA protocol, along with the current options. Noadditional security functions or protocols are introduced. In case ofauthentication failure, the UE need not perform AUTS computation, whichsaves compute cycles and power.

The particular processing operations and other system functionalitydescribed in conjunction with the diagrams described herein arepresented by way of illustrative example only, and should not beconstrued as limiting the scope of the disclosure in any way.Alternative embodiments can use other types of processing operations andmessaging protocols. For example, the ordering of the steps may bevaried in other embodiments, or certain steps may be performed at leastin part concurrently with one another rather than serially. Also, one ormore of the steps may be repeated periodically, or multiple instances ofthe methods can be performed in parallel with one another.

It should again be emphasized that the various embodiments describedherein are presented by way of illustrative example only and should notbe construed as limiting the scope of the claims. For example,alternative embodiments can utilize different communication systemconfigurations, user equipment configurations, base stationconfigurations, provisioning and usage processes, messaging protocolsand message formats than those described above in the context of theillustrative embodiments. These and numerous other alternativeembodiments within the scope of the appended claims will be readilyapparent to those skilled in the art.

What is claimed is:
 1. An apparatus comprising: at least one processor;at least one memory including computer program code; the at least onememory and the computer program code being configured to, with the atleast one processor, cause the apparatus at least to: obtain a permanentidentifier and an authentication sequence value that are unique to theapparatus; conceal the permanent identifier and the authenticationsequence value; and send the concealed permanent identifier and theauthentication sequence value in a registration message to acommunication network.
 2. The apparatus of claim 1, wherein the at leastone memory and the computer program code being configured to, with theat least one processor, further cause the apparatus to: combine thepermanent identifier and the authentication sequence value prior toconcealment.
 3. The apparatus of claim 1, wherein the at least onememory and the computer program code being configured to, with the atleast one processor, further cause the apparatus to: in response toreceipt of an authentication request message from the communicationnetwork, send a response message to the communication network containinga failure cause indication without a re-synchronization token.
 4. Theapparatus of claim 1, wherein the at least one memory and the computerprogram code being configured to, with the at least one processor,further cause the apparatus to: in response to receipt of anauthentication request message from the communication network, send aresponse message to the communication network containing a failure causeindication without a re-synchronization token, wherein the failure causeindication indicates that the authentication sequence value had beensent earlier.
 5. The apparatus of claim 1, wherein the apparatus is partof user equipment configured for 5G authentication operations and thecommunication network is part of a 5G core network.
 6. The apparatus ofclaim 5, wherein the permanent identifier comprises a subscriberpermanent identifier (SUPI) and the authentication sequence valuecomprises a sequence number (SQN) that are concatenated and encrypted aspart of a subscriber concealed identifier (SUCI) and sent in theregistration message.
 7. The apparatus of claim 1, wherein concealingthe permanent identifier and the authentication sequence value comprisesutilizing a combination of the permanent identifier and theauthentication sequence value as an input to an encryption algorithm. 8.The apparatus of claim 7, wherein the encryption algorithm comprises anelliptic curve integrated encryption scheme.
 9. The apparatus of claim7, wherein the combination of the permanent identifier and theauthentication sequence value comprises a concatenation of the permanentidentifier and the authentication sequence value.
 10. An apparatuscomprising: at least one processor; at least one memory includingcomputer program code; the at least one memory and the computer programcode being configured to, with the at least one processor, cause theapparatus at least to: obtain a permanent identifier and anauthentication sequence value that are unique to the apparatus; concealthe permanent identifier and the authentication sequence value; send theconcealed permanent identifier and the authentication sequence value ina registration message to a communication network; and combine thepermanent identifier and the authentication sequence value prior toconcealment; wherein combining the permanent identifier and theauthentication sequence value prior to concealment further comprisesconcatenating the permanent identifier and the authentication sequencevalue to generate a single plain text block that is concealed and sentin the registration message.
 11. A method comprising: obtaining apermanent identifier and an authentication sequence value that areunique to user equipment; concealing the permanent identifier and theauthentication sequence value; and sending the concealed permanentidentifier and the authentication sequence value in a registrationmessage from the user equipment to a communication network.
 12. Themethod of claim 11, further comprising combining the permanentidentifier and the authentication sequence value prior to concealment.13. The method of claim 11, further comprising, in response to receiptof an authentication request message from the communication network,sending a response message to the communication network containing afailure cause indication without a re-synchronization token.
 14. Themethod of claim 11, further comprising, in response to receipt of anauthentication request message from the communication network, sending aresponse message to the communication network containing a failure causeindication without a re-synchronization token, wherein the failure causeindication indicates that the authentication sequence value had beensent earlier.
 15. The method of claim 11, wherein the user equipment isconfigured for 5G authentication operations and the communicationnetwork is part of a 5G core network.
 16. The method of claim 15,wherein the permanent identifier comprises a subscriber permanentidentifier (SUPI) and the authentication sequence value comprises asequence number (SQN) that are concatenated and encrypted as part of asubscriber concealed identifier (SUCI) and sent in the registrationmessage.
 17. The method of claim 11, wherein concealing the permanentidentifier and the authentication sequence value comprises utilizing acombination of the permanent identifier and the authentication sequencevalue as an input to an encryption algorithm.
 18. The method of claim17, wherein the encryption algorithm comprises an elliptic curveintegrated encryption scheme.
 19. The method of claim 17, wherein thecombination of the permanent identifier and the authentication sequencevalue comprises a concatenation of the permanent identifier and theauthentication sequence value.
 20. A method comprising: obtaining apermanent identifier and an authentication sequence value that areunique to user equipment; concealing the permanent identifier and theauthentication sequence value; sending the concealed permanentidentifier and the authentication sequence value in a registrationmessage from the user equipment to a communication network; andcombining the permanent identifier and the authentication sequence valueprior to concealment; wherein combining the permanent identifier and theauthentication sequence value prior to concealment further comprisesconcatenating the permanent identifier and the authentication sequencevalue to generate a single plain text block that is concealed and sentin the registration message.
 21. An article of manufacture comprising anon-transitory computer-readable storage medium having embodied thereinexecutable program code that when executed by a processor causes theprocessor to perform the steps of: obtaining a permanent identifier andan authentication sequence value that are unique to user equipment;concealing the permanent identifier and the authentication sequencevalue; and sending the concealed permanent identifier and theauthentication sequence value in a registration message from the userequipment to a communication network.
 22. The article of claim 21,further comprising the step of combining the permanent identifier andthe authentication sequence value prior to concealment.
 23. The articleof claim 21, further comprising the step of, in response to receipt ofan authentication request message from the communication network,sending a response message to the communication network containing afailure cause indication without a re-synchronization token.
 24. Thearticle of claim 21, further comprising the step of, in response toreceipt of an authentication request message from the communicationnetwork, sending a response message to the communication networkcontaining a failure cause indication without a re-synchronizationtoken, wherein the failure cause indication indicates that theauthentication sequence value had been sent earlier.
 25. The article ofclaim 21, wherein concealing the permanent identifier and theauthentication sequence value comprises utilizing a combination of thepermanent identifier and the authentication sequence value as an inputto an encryption algorithm.
 26. The article of claim 21, wherein theencryption algorithm comprises an elliptic curve integrated encryptionscheme.
 27. The article of claim 21, wherein the combination of thepermanent identifier and the authentication sequence value comprises aconcatenation of the permanent identifier and the authenticationsequence value.
 28. An article of manufacture comprising anon-transitory computer-readable storage medium having embodied thereinexecutable program code that when executed by a processor causes theprocessor to perform the steps of: obtaining a permanent identifier andan authentication sequence value that are unique to user equipment;concealing the permanent identifier and the authentication sequencevalue; sending the concealed permanent identifier and the authenticationsequence value in a registration message from the user equipment to acommunication network; and combining the permanent identifier and theauthentication sequence value prior to concealment; wherein combiningthe permanent identifier and the authentication sequence value prior toconcealment further comprises concatenating the permanent identifier andthe authentication sequence value to generate a single plain text blockthat is concealed and sent in the registration message.